Role-based Access Control Plugin

Challenge:

You need to have a sophisticated authorization strategy to control access to Jenkins jobs. At the same time, you desire flexibility in setting permissions that go beyond just the job level. For example, you may want to set permissions at a project or department level. You may also want to define secret projects that are only visible to the people permitted to view them.

There are multiple authorization plugins available today but each comes with some limitations. The Role-based Access Control (RBAC) plugin provided with CloudBees Jenkins Enterprise provides a very sophisticated authorization strategy that exceeds the functionality of other available options.

Solution:

The Role-based Access Control plugin gives a Jenkins administrator the ability to define various security roles that will apply to the system they administer. Once roles have been defined, the Jenkins administrator can assign those roles to groups of users. The assignment of roles can take place either at the global level or can be limited to specific objects within the system. Additionally, the Jenkins administrator can even delegate the management of groups for specific objects to specific users.

The Role-based Access Control plugin combines with the Folders plugin to provide a powerful solution for managing a Jenkins installation that is shared by multiple teams of users. The Jenkins administrator can create folders for each of the teams and then create groups in those folders for each of the roles that team members are assigned. By delegating the management of the group membership (but not the management of the roles assigned to groups) to the team leaders, the Jenkins administrator can empower the team leads to manage the permissions of their team, while reducing the administrative overhead.

You can learn more in the Role-based Access Control webinar. The Role-based Access Control plugin allows the administrator to create a role, which is a set of permissions, then leave it up to team leads and other authorized people to control who gets those roles on any given project. This separation makes it easier for teams to set the right access control, without the tediousness of clicking a large number of checkboxes.

Aside from picking up group information from external systems, such as Active Directory, CLoudBees Jenkins Enterprise lets you define groups locally, even at the folder level. This allows each team that shares the same CloudBees Jenkins Enterprise instance to rapidly add/remove members of the team, without requiring coordination with either the corporate IT or the Jenkins administrator.